The tools your computer forensics expert brings to your case

In the prior article in this series, I pointed out that the situations that will require a computer forensics analyst are people issues first. The tools your computer forensics expert brings to your case also begin with people skills. Investigating computer systems and working effectively with enterprise IT staff require finesse and the ability to deal well with stakeholders.

My former partner Mitch Dembin wrote an article a number of years ago comparing technical people to his fellow attorneys. Mitch explained that computer people are binary, and lawyers deal in gray areas. I often see this in practice. In a case where a former employee denied having printed an important file, my attorney client asked IT administrators if there were print logs. An IT administrator told the attorney no. The next day I was working with the same admin and sat with him at a workstation. I asked him to bring up the Windows event logs. No, they are not called print logs in Windows. I saw the Windows event logs had records for about 150 print queues on the network, including the printer used by the former employee. As it turned out, the Windows event logs had recorded his user name as having printed a file with the right name and size as reported by witnesses.

An understanding of both the technology and the people who interact with that technology is a tool your computer forensics expert will use to investigate systems. We also ensure your discovery obligations are met. In another interview with an IT manager, I learned she continued to delete email backups although she had received a legal hold notice. She was more concerned about running out of storage space than legal hold instructions.

Recently, I was browsing the agenda for an upcoming computer forensics conference and saw how analysis, incident response and e-discovery and legal tracks reflect how much this field has grown. The tools forensics experts have are reflected in the varied tracks and sessions I saw. Sessions on examination of Windows and Mac computers, examination of mobile devices, cloud storage, e-discovery, intrusion incidents, recovery of evidence from system memory and iTunes backups were among the many topics covered. Considering these different techniques and applying them efficiently are also key to controlling costs. How work is staged by the team that supports your expert when confronting litigation or potential litigation will affect the bill you receive at the end of the engagement.

Your computer forensics expert will likely direct a number of analysts, each with a different mix of technical skills. Your expert’s team may include analysts who understand programming languages or are skilled in intrusion (“hacker”) investigations. Each will have an understanding of forensic hardware and software tools. During my time in the U.S. Marine Corps many years ago, I learned that every Marine is a rifleman first; that is, every Marine must possess the basic skills of an infantryman before going on to master a particular specialty. I believe that applies to the team a forensics expert brings to your case. The core skills of properly documenting and preserving data, performing a rich set of analysis with an array of tools and recording observations or extracting the data which will be reviewed by a litigation team are the tools your expert will always draw upon. The expert’s team members will then have additional specific interests or training to warrant assigning specific analysis tasks accordingly.

Planning what analysis tasks are appropriate to each case will help your expert manage costs. Not every case requires the examination of mobile devices, for instance. If the issue involves data that is stored on a device or source already preserved, like email on a server or mobile device data on an iTunes backup on a PC, there may be no need for the expense of acquiring a backup of the mobile phone.

Also, planning the analysis in stages, by committing to a budgeted preliminary examination first, will help you manage costs. Your expert’s team can look for indicators that are relevant to your case before proceeding with additional investigation. During analysis the expert’s team should work closely with the case team because there are sources of forensic data which will not make it into your review database. Recovered remnants of deleted documents, temporary files and links used as shortcuts to files in Windows are examples of data that is not normally part of the information in a document review database but may help you piece together the evidence that helps tell the story of the important documents in your case.

Along with the technical tools your computer expert brings to your case should be the ability to communicate the results of the forensic analysis. Whether briefing C-level executives or providing testimony at deposition or trial, your computer forensics expert will need to reduce the technical tasks the team has performed to language that techies and non-techies alike will understand. Although the number of cases that require testimony is very small compared to the number of matters we are involved in every year, each case should be worked and documented as though it will see a courtroom. The payoff for work done by your expert can mean avoiding sanctions or finding a remnant of that smoking gun document. The tools your expert has brought to bear will ensure that your computer evidence has been identified, preserved and analyzed in a sound manner. The defensibility of work that your expert does is perhaps the most important tool.